Android apps have been clouded by suspicion, owing to recent reports about their vulnerabilities. Just when you thought the frenzy had settled, security researchers have published a white paper showing how some of the most downloaded Android apps are vulnerable when handling sensitive private information. According to an Ars Technica report, Android apps downloaded by as many as 185 million users across the world are vulnerable to attacks that could reveal users' online banking and social networking credentials, e-mail and instant-messaging contents, and more.
While the researchers did not name the apps, they said they are among the most downloaded apps in the Google Play store. The researchers, from Leibniz University of Hannover and Philipps University of Marburg in Germany, manually conducted a security audit of around 100 popular free apps and found widespread and serious vulnerabilities. They were able to capture credentials for American Express, Diners Club, PayPal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and e-mail accounts.
The security paper released by the researchers does not identify these vulnerable apps, but states that they are among the most popular free apps.
Wondering how they did it? “We used a Samsung Galaxy Nexus smartphone with Android 4.0 Ice Cream Sandwich. We installed the potentially vulnerable apps on the phone and set up a Wi-Fi access point with a MITM SSL proxy. Depending on the vulnerability to be examined, we equipped the SSL proxy either with a self-signed certificate or with one that was signed by a trusted CA, but for an unrelated hostname. Of the 100 apps selected for manual audit, 41 apps proved to have exploitable vulnerabilities.”
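The two proxy setups quoted above probe two separate checks a TLS client must make: chain validation (which a self-signed proxy certificate must fail) and hostname verification (which a trusted CA's certificate for an unrelated hostname must fail). The following Java snippet is an added illustration, not code from the article or from the researchers' paper; the class and method names are hypothetical. It places the two app-side defects that let each proxy succeed beside the hardened form, which simply keeps the platform defaults.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsValidationExample { // hypothetical class name

    // DEFECT 1: a TrustManager that never throws. Every chain, including the
    // proxy's self-signed certificate, passes "validation".
    static final TrustManager ACCEPT_ALL_CHAINS = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // DEFECT 2: a HostnameVerifier that always answers true. A certificate a
    // trusted CA really issued for some other hostname is accepted for this one.
    static final HostnameVerifier ACCEPT_ALL_HOSTS = (hostname, session) -> true;

    // Vulnerable to both proxy configurations described in the quote.
    static HttpsURLConnection openInsecure(URL url)
            throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { ACCEPT_ALL_CHAINS }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // defect 1 wired in
        conn.setHostnameVerifier(ACCEPT_ALL_HOSTS);         // defect 2 wired in
        return conn;
    }

    // Hardened: no overrides. The default trust manager rejects chains that do
    // not end at a CA in the system store, and the default hostname verifier
    // checks the certificate's names against the URL's host.
    static HttpsURLConnection openSecure(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }
}
```

In a code review, any custom X509TrustManager whose checkServerTrusted body is empty, or any HostnameVerifier that returns a constant, is the pattern to flag.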